Advisory

Docker Engine, Desktop have maximum severity flaw enabling authentication bypass

Take action: This is an urgent patch if you run Docker Engine with AuthZ (authorization) plugins enabled. First, check whether access to the Docker API can be restricted to trusted networks. Then update Docker Engine to v23.0.15 or v27.1.1 (or later) and Docker Desktop to 4.33 or later. In the meantime, consider disabling AuthZ plugins, bearing in mind that this removes the plugin's access controls entirely rather than merely closing the bypass.


Learn More

Docker Engine and Docker Desktop have been found to contain a critical security vulnerability that may allow attackers to bypass authorization checks.

The vulnerability, tracked as CVE-2024-41110 (CVSS score 10.0), originates from a regression in Docker's authorization plugin (AuthZ) system: a fix first shipped in Docker Engine v18.09.1 in January 2019 was not carried forward into later release branches. An attacker who can reach the Docker API sends a specially crafted request with Content-Length set to 0; the daemon then forwards the request to the AuthZ plugin without its body. A plugin whose decision depends on the body (for example, one that rejects privileged containers) may incorrectly approve the request, and the daemon goes on to act on it, potentially leading to unauthorized actions and privilege escalation on the host.
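The failure mode above is easiest to see from the plugin's side. The following is an added example, not code from Docker or from any real AuthZ plugin: two policy functions shaped like the decision logic behind a plugin's AuthZPlugin.AuthZReq handler. The request dictionary uses the real AuthZ protocol field names (User, UserAuthNMethod, RequestMethod, RequestUri, RequestHeaders, RequestBody; RequestBody is base64 because the daemon JSON-encodes a byte slice), and the response uses the real Allow/Msg fields. `naive_policy` only inspects the body, so a request that reaches it with no body is allowed, which is exactly what the advisory describes. `hardened_policy` fails closed: for endpoints that should always carry a body, a missing or unparseable body is denied. The endpoint list, the helper names and the sample requests are assumptions constructed for this example.

```python
import base64
import json
import re

# Endpoints whose security-relevant settings live in the JSON body.  If one
# of these reaches the plugin without a body, the policy cannot evaluate it,
# so the hardened policy denies it.  Assumption for this example: this list
# is a starting point, not a complete inventory of body-bearing endpoints.
BODY_REQUIRED = [
    ("POST", re.compile(r"^/containers/create$")),
    ("POST", re.compile(r"^/containers/[^/]+/exec$")),
    ("POST", re.compile(r"^/services/create$")),
]
API_VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")


def make_authz_request(user, method, uri, body=None):
    """Build an AuthZReq-shaped dict (constructed sample data).  The daemon
    base64-encodes RequestBody; an absent body arrives as an empty string."""
    encoded = base64.b64encode(json.dumps(body).encode()).decode() if body is not None else ""
    return {
        "User": user,
        "UserAuthNMethod": "TLS",
        "RequestMethod": method,
        "RequestUri": uri,
        "RequestHeaders": {"Content-Type": "application/json"},
        "RequestBody": encoded,
    }


def _api_path(req):
    # "/v1.45/containers/create?name=x" -> "/containers/create"
    uri = req.get("RequestUri", "").split("?", 1)[0]
    return API_VERSION_PREFIX.sub("", uri)


def _body_bytes(req):
    raw = req.get("RequestBody") or ""
    return base64.b64decode(raw) if raw else b""


def _requests_privileged(body):
    """True/False for a parseable container spec, None if it is not JSON."""
    try:
        spec = json.loads(body)
    except ValueError:
        return None
    if not isinstance(spec, dict):
        return None
    host_config = spec.get("HostConfig") or {}
    return bool(isinstance(host_config, dict) and host_config.get("Privileged"))


def naive_policy(req):
    """Body-only policy: the pattern the advisory describes as bypassable.
    With no body there is nothing to object to, so it allows."""
    body = _body_bytes(req)
    if body and _requests_privileged(body):
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True, "Msg": ""}


def hardened_policy(req):
    """Fail closed: a body-bearing endpoint with no body, or with a body the
    policy cannot parse, is denied rather than waved through."""
    method = req.get("RequestMethod", "")
    path = _api_path(req)
    body = _body_bytes(req)
    needs_body = any(m == method and pat.match(path) for m, pat in BODY_REQUIRED)
    if needs_body:
        if not body:
            return {"Allow": False, "Msg": f"{method} {path} reached the AuthZ plugin without a body"}
        privileged = _requests_privileged(body)
        if privileged is None:
            return {"Allow": False, "Msg": "request body is not a JSON object"}
        if privileged:
            return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True, "Msg": ""}


# Constructed sample requests, named by the scenario each illustrates.
SAMPLE_REQUESTS = {
    "privileged_create": make_authz_request(
        "alice", "POST", "/v1.45/containers/create",
        {"Image": "alpine", "HostConfig": {"Privileged": True}}),
    "plain_create": make_authz_request(
        "alice", "POST", "/v1.45/containers/create", {"Image": "alpine"}),
    # The advisory's failure mode: same endpoint, body stripped before the plugin saw it.
    "bodyless_create": make_authz_request("alice", "POST", "/v1.45/containers/create"),
    # A request that legitimately carries no body.
    "start": make_authz_request("alice", "POST", "/v1.45/containers/abc123/start"),
    "list": make_authz_request("alice", "GET", "/v1.45/containers/json"),
}


def evaluate_samples():
    """Return {scenario: (naive_allow, hardened_allow)} for every sample."""
    return {name: (naive_policy(req)["Allow"], hardened_policy(req)["Allow"])
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate_samples().items():
        print(f"{name:18s} naive={('allow' if naive else 'deny'):5s} hardened={'allow' if hardened else 'deny'}")
```

Only `bodyless_create` separates the two policies: the naive one allows it, the hardened one denies it. This is defence in depth for the endpoints a plugin knows about, not a substitute for the engine patch, since the daemon is what decides whether the body is forwarded at all.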

The following Docker Engine and Docker Desktop versions are affected:

  • Docker Engine:
    • <= v19.03.15
    • <= v20.10.27
    • <= v23.0.14
    • <= v24.0.9
    • <= v25.0.5
    • <= v26.0.2
    • <= v26.1.4
    • <= v27.0.3
    • <= v27.1.0
  • Docker Desktop: Up to v4.32.0

The vulnerability affects Docker Engine hosts configured to use AuthZ plugins, with the potential for significant impact in production environments where Docker Engine underpins container deployment. Users who do not rely on AuthZ plugins for access control decisions, and users on Docker Engine releases before v19.03 (which predate the regression), are not susceptible.

Docker has released patches to address this critical vulnerability. Users are advised to:

  • Update Docker Engine: Update to v23.0.15 or v27.1.1, or any later release; the branches in between (24.0.x, 25.0.x, 26.x) are not patched, so move to a fixed branch.
  • Update Docker Desktop: Update to Docker Desktop v4.33, which includes the patched Docker Engine. As of 26 July 2024, 4.33 is available; patch now.

If updates cannot be applied immediately, consider disabling AuthZ plugins and restrict access to the Docker API to trusted networks.
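To turn the affected list and the fixed versions above into a repeatable check across a fleet, here is an added example that is not part of the advisory or of Docker's tooling. It reads the output of `docker info --format '{{json .}}'` (ServerVersion and Plugins.Authorization are real fields of that output), decides whether the engine carries the regression, and reports whether the host is actually exposed, which depends on an AuthZ plugin being loaded. The version boundaries encode the advisory's list; the assumption that the 24.0, 25.0 and 26.x branches received no fix, the status labels and the sample JSON are constructed for this example.

```python
import json
import re
import sys

# Boundaries taken from the advisory: the regression is present from v19.03.0
# through v27.1.0 inclusive, and fixes shipped in v23.0.15 and v27.1.1.
# Assumption for this example: the intermediate branches (24.0.x, 25.0.x,
# 26.x) received no fix, so every release on them counts as affected.
FIRST_AFFECTED = (19, 3, 0)
FIXED_23_BRANCH = (23, 0, 15)
FIXED_27_BRANCH = (27, 1, 1)

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'v20.10.27', '26.1.4-rc1' or '24.0.7+azure-1' -> (major, minor, patch)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Docker version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def engine_version_affected(text):
    """True when this engine version carries the AuthZ regression."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False  # v18.09.x and earlier predate the regression
    if v >= FIXED_27_BRANCH:
        return False  # v27.1.1 and later carry the fix
    if FIXED_23_BRANCH <= v < (24, 0, 0):
        return False  # v23.0.15 and later on the 23.0 branch carry the fix
    return True


def triage(info_json):
    """Classify one host from `docker info --format '{{json .}}'` output."""
    info = json.loads(info_json)
    version = info["ServerVersion"]
    plugins = (info.get("Plugins") or {}).get("Authorization") or []
    if not engine_version_affected(version):
        status = "not-affected"
        advice = "no action required for CVE-2024-41110"
    elif plugins:
        status = "patch-now"
        advice = ("update to v23.0.15 / v27.1.1 or later; until then restrict "
                  "API access to trusted networks or disable the AuthZ plugin")
    else:
        status = "affected-version-no-authz"
        advice = "not exposed today; update before enabling any AuthZ plugin"
    return {"version": version, "authz_plugins": list(plugins),
            "status": status, "advice": advice}


# Constructed sample, shaped like `docker info --format '{{json .}}'` but
# trimmed to the fields the check reads.
SAMPLE_INFO = json.dumps({
    "ServerVersion": "26.1.4",
    "Plugins": {"Volume": ["local"], "Network": ["bridge", "host"],
                "Authorization": ["example-authz-plugin"], "Log": ["json-file"]},
})

if __name__ == "__main__":
    # Live use: docker info --format '{{json .}}' | python3 authz_triage.py
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(triage(data if data.strip() else SAMPLE_INFO), indent=2))
```

Run it with no input to see the constructed sample classified as `patch-now`; pipe in real `docker info` JSON to triage a host. Treat `affected-version-no-authz` as a scheduling signal rather than an all-clear, since enabling a plugin later on an unpatched engine reopens the issue.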
